[ic] MAGJOR New Account BUG!!!

Sonny Cook sonny@akopia.com
Mon, 30 Oct 2000 17:00:55 -0600 (CST)


Looks like we tracked this down.  The problem is caused by a user in the
userdb with a blank username.  This user will show up when no one is
logged in.  In our tests, this problem showed up under the gdbm (default)
database, but not with mysql.  Normally, you shouldn't be able to create a
user with no username, but...

The bug is in the admin order section where you can enter a new order.
When you select a specific customer from the customer section, you have
the option of entering a new order for that customer.  If you delete the
customer id and check the new customer box and then complete the order, a
new customer will be created with that customer's original information and
a blank customer id.

If you run into this problem, you can fix it a couple of different ways.
First, export the database, and then edit the userdb.txt.  If the spurious
customer has useful order information in it, then go ahead and put a new
username into the first field.  Otherwise, just delete that line.  Save
and then re-import the database.  That should correct/remove the offending
customer record.

 ---
Sonny Cook 
Akopia

"I don't want fifteen dollars."  --Franklin D. Roosevelt

On Mon, 30 Oct 2000, Eric Hull wrote:

> Go to www.webuildpcs.com or try on your own ic site.
> I would try on ours because we know the problem is here.
> 
> From the first page, click on the log in button on the top of the site, then
> click on new account button, then the last person who created an account has
> their info in the fields.  After you screw around for a while on the site,
> or go in with something in your basket - this does not always appear.
> 
> Eric Hull
> 
> -----Original Message-----
> From: interchange-users-admin@minivend.com
> [mailto:interchange-users-admin@minivend.com]On Behalf Of Cameron B.
> Prince
> Sent: Monday, October 30, 2000 11:49 AM
> To: interchange-users@minivend.com
> Subject: RE: [ic] MAGJOR New Account BUG!!!
> 
> 
> Have you been able to duplicate this? Can you provide exact steps to do so?
> 
> This is a disturbing situation, but we must first rule out the possibility
> of problems with the code in your account and login pages.
> 
> I am aware of the problem with the error codes and error checking on the
> account page, but I have never seen this problem.
> 
> Cameron
> 
> 
> -----Original Message-----
> From: interchange-users-admin@minivend.com
> [mailto:interchange-users-admin@minivend.com]On Behalf Of Eric Hull
> Sent: Monday, October 30, 2000 9:54 AM
> To: interchange-users@minivend.com
> Subject: RE: [ic] MAGJOR New Account BUG!!!
> 
> 
> This is a BIG PROBLEM - here is an email I received from a customer:
> 
> There appears to be a possible security problem with your site.
> I just tried to create an account at your site, and it appeared to
> accept the account name ("wendy") and password that I entered, then
> displayed the message "Welcome to webuildpcs.com, Theresia!" The account
> information associated with that name is for a Theresia Edgar, in GA,
> and it has nothing to do with me.
> 	From a customer's perspective, this is very disturbing. If this
> Theresia is a real person, there is no way I should have been able to
> see her account information, accidentally or otherwise. It certainly
> does not inspire customer confidence in your security! If, on the other
> hand, that account information is intended as a "blank", a starting point,
> I would have to suggest to you that it is a bad idea, as it is confusing
> and misleading at best. At worst, it looks like a security breach which
> would undoubtedly turn customers away. Blank fields would be better.
> 	The primary reason that I am telling you about this is so that if
> it is in fact a security issue, you can correct it before someone takes
> malicious advantage of it. The other reason is that I worked in customer
> service for a long time, and was constantly told that 90% of the customers
> who go to competitors to do their business will never tell you why. So
> when someone submits a complaint or request, it is a rare chance to fix
> a problem that is probably coming between you and many, many more potential
> customers than just the ones who bother to tell you..
> 	In the meantime, I do still want to order two computer cases from
> you, but given the nature of the problem, I'm going to be prudent and
> wait until business hours to call the order in.
> 
> What the heck is the problem with IC?
> we have searched and searched and found no docs on this or even where to
> "refresh" this page - I have to take our site offline now and that means I
> will be losing $$$
> 
> Eric Hull
> 
> -----Original Message-----
> From: interchange-users-admin@minivend.com
> [mailto:interchange-users-admin@minivend.com]On Behalf Of Strider
> Centaur
> Sent: Thursday, October 26, 2000 9:36 PM
> To: interchange-users@minivend.com
> Subject: Re: [ic] MAGJOR New Account BUG!!!
> 
> 
>     I will second this as I have seen the same thing here in testing. I
> think this is part of the error handling schema and a lack on the part of
> Interchange to tell if this is the first time or not this form is being
> displayed to a user. In other words there seems to be a big flaw in the
> state checking of the order page, anyone have any ideas?
> 
>     BTW, we have our first store in production and all seems well. The URL is
> http://www.greenpond.com and any comments or questions are always
> appreciated, you can send them to me or info@pwrgroup.com.   :-)
> 
> 
> 
> 
> Beriah Dutcher wrote:
> 
> > Hey Everybody,
> >
> >         Well, my interchange web is doing good. Been getting 200 hits a
> > day and LOTS of items placed in baskets. However, FEW orders placed. I
> > equated this to first, the lack of a Secure Cert, second the price of
> > shipping, then yesterday I found a slight problem. When I got the secure
> > thing fixed and the shipping was dropped all the way to EXACTLY what UPS
> > charges we were STILL not getting orders.  So I had a phone order
> > yesterday and asked the customer to go through the web and place an
> > order (gave him 5 bucks off his purchase :) ). He called back with the
> > problem at hand. When creating a new account either from the login page
> > or the processing page link, the new account page fills itself in with
> > the data of the LAST person that created an account!!! Very VERY bad.
> > This gives out the person's address and phone and EVERYTHING. I have not
> > figured out why this is happening so I thought I would write the list.
> >
> > Beriah
> >
> > _______________________________________________
> > Interchange-users mailing list
> > Interchange-users@www.minivend.com
> > http://www.minivend.com/mailman/listinfo/interchange-users
> 
> --
> Strider Centaur
> HTTP://www.Scifi-Fantasy.com
> 
>    " It is my observation that unless you really understand the issues, you
> are hardly in a position to criticize.   Nearly all Linux users have used
> Windows, but very few Windows users have used Linux. " -- Me
> 
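Sonny Cook's workaround (export the userdb, fix or drop the line with the blank username in userdb.txt, re-import) as a small script. This is an added example, not code from the thread or from Interchange; it assumes the export is tab-delimited with a header row whose first column is `username`, and the sample data below is constructed.

```python
import csv
import io

# Constructed sample of a userdb.txt export (assumed layout: tab-delimited,
# header row, first column "username"; other columns trimmed for brevity).
# The third record has a blank username: that is the record the thread says
# is shown to visitors who are not logged in.
SAMPLE_USERDB_TXT = (
    "username\tpassword\tfname\tlname\tstate\n"
    "wendy\tsecret1\tWendy\tSmith\tCA\n"
    "bob\tsecret2\tBob\tJones\tNY\n"
    "\tsecret3\tTheresia\tEdgar\tGA\n"
)

def parse_userdb(text):
    """Parse a tab-delimited export into (header, rows), skipping blank lines."""
    reader = csv.reader(io.StringIO(text), delimiter="\t")
    header = next(reader)
    rows = [row for row in reader if row]
    return header, rows

def find_blank_usernames(text):
    """Return the records (as dicts) whose username is empty or whitespace only."""
    header, rows = parse_userdb(text)
    return [dict(zip(header, r)) for r in rows if not r[0].strip()]

def clean_userdb(text, rename_to=None):
    """Drop blank-username records, or give them a new username when rename_to
    is set (the thread's two options). Returns (cleaned_text, records_changed)."""
    header, rows = parse_userdb(text)
    existing = {r[0] for r in rows if r[0].strip()}
    kept, changed = [], 0
    for r in rows:
        if r[0].strip():
            kept.append(r)
            continue
        changed += 1
        if rename_to is None:
            continue  # delete the line: the record holds nothing worth keeping
        if rename_to in existing:
            raise ValueError("new username %r already exists" % rename_to)
        existing.add(rename_to)
        kept.append([rename_to] + r[1:])
    out = io.StringIO()
    writer = csv.writer(out, delimiter="\t", lineterminator="\n")
    writer.writerow(header)
    writer.writerows(kept)
    return out.getvalue(), changed
```

Running `find_blank_usernames` over every export is the cheap check: a record keyed by an empty username is exactly what matches a session with no one logged in.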